From 3b0d7e5a668aa087af512f0ecb204acf61723a63 Mon Sep 17 00:00:00 2001
From: welpo
Date: Thu, 30 May 2024 14:33:09 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20docs:=20CSP=20requirements=20to?=
 =?UTF-8?q?=20use=20built-in=20syntax=20highlighting?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves #320.
---
 config.toml | 2 ++
 content/blog/security/index.ca.md | 11 +++++++++--
 content/blog/security/index.es.md | 11 +++++++++--
 content/blog/security/index.md | 11 +++++++++--
 theme.toml | 1 +
 5 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/config.toml b/config.toml
index 62f4bcf..2f14b7f 100644
--- a/config.toml
+++ b/config.toml
@@ -34,6 +34,7 @@ index_format = "elasticlunr_json"
 [markdown]
 highlight_code = true
+# To use a Zola built-in theme, CSP needs to allow unsafe-inline for style-src.
 highlight_theme = "css"
 smart_punctuation = true
@@ -266,6 +267,7 @@ footer_menu = [
 # Default directive is self.
 # Default config, allows for https remote images and embedding YouTube and Vimeo content.
 # This configuration (along with the right webserver settings) gets an A+ in Mozilla's Observatory: https://observatory.mozilla.org
+# Note: to use a Zola built-in syntax highlighting theme, allow unsafe-inline for style-src.
 allowed_domains = [
 { directive = "font-src", domains = ["'self'", "data:"] },
 { directive = "img-src", domains = ["'self'", "https://*", "data:"] },
diff --git a/content/blog/security/index.ca.md b/content/blog/security/index.ca.md
index c56744d..1b8bffe 100644
--- a/content/blog/security/index.ca.md
+++ b/content/blog/security/index.ca.md
@@ -1,7 +1,7 @@
 +++
 title = "Seguretat per defecte"
 date = 2023-02-22
-updated = 2024-03-15
+updated = 2024-05-30
 description = "tabi té una Política de Seguretat de Contingut (CSP) fàcilment personalitzable amb valors segurs per defecte. Obtingues tranquil·litat i un A+ en l'Observatori de Mozilla."
 [taxonomies]
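Review bot: The comment added above `highlight_theme = "css"` tells the reader to allow `unsafe-inline` in `style-src` but not what that costs, which matters in a file whose other comment (second hunk, line just above the new one) advertises an Observatory A+: `'unsafe-inline'` in `style-src` lets any HTML-injection point inject `<style>` blocks and style attributes, the classic CSS-injection/exfiltration vector, and presumably also lowers that Observatory grade. The same wording is repeated in the second config.toml hunk and in the theme.toml hunk, so the trade-off should be stated in all three places. Suggest replacing the comment with something like `# Zola built-in highlight themes appear to emit inline styles, so they need 'unsafe-inline' in style-src; that weakens the CSP (and likely the Observatory grade). highlight_theme = "css" (external stylesheet) keeps the strict policy.` Quoting the keyword as `'unsafe-inline'` also matches the literal value that goes into the allowed_domains entry, as the blog post hunks already show.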
@@ -32,6 +32,13 @@ Aquesta funcionalitat permet personalitzar fàcilment les capçaleres de seguret
 Pots desactivar les capçaleres (permitint-ho tot) en una pàgina, secció, o globalment configurant `enable_csp = false` en el front matter o en el fitxer `config.toml`.
-**Nota**: [habilitar els comentaris](@/blog/comments/index.ca.md) o [les analítiques](@/blog/mastering-tabi-settings/index.ca.md#analisi-web) automàticament permet scripts/frames/estils/connexions en funció del servei habilitat.
+**Notas**:
+
+- [Habilitar els comentaris](@/blog/comments/index.ca.md) o [les analítiques](@/blog/mastering-tabi-settings/index.ca.md#analisi-web) automàticament permet scripts/frames/estils/connexions en funció del servei habilitat.
+- Per utilitzar un [tema de resaltat de sintaxis integrat a Zola](https://www.getzola.org/documentation/getting-started/configuration/#syntax-highlighting), has de permetre `unsafe-inline` a la directiva `style-src`:
+
+ ```
+ { directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
+ ```
 [^1]: Requereix una configuració adequada del servidor web (p. ex., redirigir el trànsit HTTP a HTTPS).
diff --git a/content/blog/security/index.es.md b/content/blog/security/index.es.md
index 8ba92cf..ec46cdb 100644
--- a/content/blog/security/index.es.md
+++ b/content/blog/security/index.es.md
@@ -1,7 +1,7 @@
 +++
 title = "Seguro por defecto"
 date = 2023-02-22
-updated = 2024-03-15
+updated = 2024-05-30
 description = "tabi tiene una Política de Seguridad de Contenido (CSP) fácilmente personalizable con configuraciones seguras. Obtén tranquilidad y una calificación de A+ en Mozilla Observatory."
 [taxonomies]
@@ -32,6 +32,13 @@ Esta función permite personalizar fácilmente las cabeceras de seguridad del si
 Puedes desactivar las cabeceras (permitiendo todo) en una página, sección, o globalmente configurando `enable_csp = false` en el front matter o en el archivo `config.toml`.
-**Nota**: [habilitar los comentarios](@/blog/comments/index.es.md) o [las analíticas](@/blog/mastering-tabi-settings/index.es.md#analisis-web) automáticamente permite scripts/frames/estilos/conexiones en función del servicio habilitado.
+**Notas**:
+
+- [Habilitar los comentarios](@/blog/comments/index.es.md) o [las analíticas](@/blog/mastering-tabi-settings/index.es.md#analisis-web) automáticamente permite scripts/frames/estilos/conexiones en función del servicio habilitado.
+- Para usar un [tema de resaltado de sintaxis integrado en Zola](https://www.getzola.org/documentation/getting-started/configuration/#syntax-highlighting), has de permitir `unsafe-inline` en la directiva `style-src`:
+
+ ```
+ { directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
+ ```
 [^1]: Requiere una configuración adecuada del servidor web (por ejemplo, redirigir el tráfico HTTP a HTTPS).
diff --git a/content/blog/security/index.md b/content/blog/security/index.md
index a9b167e..a1c99cb 100644
--- a/content/blog/security/index.md
+++ b/content/blog/security/index.md
@@ -1,7 +1,7 @@
 +++
 title = "Secure by default"
 date = 2023-02-22
-updated = 2024-03-15
+updated = 2024-05-30
 description = "tabi has an easily customizable Content Security Policy (CSP) with safe defaults. Get peace of mind and an A+ on Mozilla Observatory."
 [taxonomies]
@@ -32,6 +32,13 @@ This feature allows you to easily customize the website's security headers to al
 You can disable the CSP (allowing all connections) on a page, section, or globally by setting `enable_csp = false` in the front matter or `config.toml` file.
-**Note**: [enabling comments](@/blog/comments/index.md) or [analytics](@/blog/mastering-tabi-settings/index.md#analytics) automatically allows scripts/frames/styles/connections as needed from the respective services.
+**Notes**:
+
+- [Enabling comments](@/blog/comments/index.md) or [analytics](@/blog/mastering-tabi-settings/index.md#analytics) automatically allows scripts/frames/styles/connections as needed from the respective services.
+- To use a [Zola built-in syntax highlighting theme](https://www.getzola.org/documentation/getting-started/configuration/#syntax-highlighting), you need to allow `unsafe-inline` in the `style-src` directive:
+
+ ```
+ { directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
+ ```
 [^1]: Requires proper webserver configuration (e.g. redirecting HTTP traffic to HTTPS).
diff --git a/theme.toml b/theme.toml
index 34e9f6d..51e0c80 100644
--- a/theme.toml
+++ b/theme.toml
@@ -221,6 +221,7 @@ encode_plaintext_email = true # Setting is ignored if email is already encoded.
 # Default directive is self.
 # Default config, allows for https remote images and embedding YouTube and Vimeo content.
 # This configuration (along with the right webserver settings) gets an A+ in Mozilla's Observatory: https://observatory.mozilla.org
+# Note: to use a Zola built-in syntax highlighting theme, allow unsafe-inline for style-src.
 allowed_domains = [
 { directive = "font-src", domains = ["'self'", "data:"] },
 { directive = "img-src", domains = ["'self'", "https://*", "data:"] },